New Trojan Downloader Covers Tracks, Hard to Detect

by Brandon Dimmel on April 25, 2013 at 08:04AM EDT

Security researchers have discovered a new type of Trojan downloader that covers its tracks by deleting the component files it downloads once it has used them. That makes it much harder for analysts to recover and examine the components the downloader delivers.

The downloader, which Microsoft detects as Win32/Nemim.gen!A, shows how malware writers are producing progressively more sophisticated tools. By deleting every file it downloads and uses, this Trojan makes it very difficult to recover, isolate, and analyze its component files.

Sophisticated Malware Difficult to Confront

According to Microsoft Malware Protection Center researcher Jonathan San Jose, that makes it very difficult for security experts to deal with the Trojan.

"During analysis of the downloader, we may not easily find any downloaded component files on the system," San Jose said in a recent blog post.

"Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file." (Source: technet.com)
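Because the components themselves may be unrecoverable after the fact, the practical defence is to catch the drop-run-delete cycle while it happens, from endpoint telemetry. The script below is an added example, not code from Microsoft or from the article: it correlates constructed file-create, process-create and file-delete events (the field names are assumptions; they loosely follow Sysmon event IDs 11, 1 and 23/26) and flags any executable that one process wrote to disk, launched as a child process, and then deleted within a short window. The sample events are fabricated for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Nemim data). Field layout is an
# assumption that loosely follows Sysmon FileCreate (EID 11), ProcessCreate
# (EID 1) and FileDelete (EID 23/26), reduced to what the correlation needs.
DROPPER = r"C:\Users\u\AppData\Roaming\updater.exe"
COMPONENT = r"C:\Users\u\AppData\Local\Temp\comp1.exe"
SAMPLE_EVENTS = [
    # suspicious: dropper writes an .exe, launches it, deletes it eight seconds later
    {"ts": "2013-04-25T08:00:01", "event": "FileCreate", "pid": 1337, "image": DROPPER, "target": COMPONENT},
    {"ts": "2013-04-25T08:00:02", "event": "ProcessCreate", "pid": 2001, "parent_pid": 1337, "image": COMPONENT},
    {"ts": "2013-04-25T08:00:09", "event": "FileDelete", "pid": 1337, "image": DROPPER, "target": COMPONENT.upper()},
    # benign: installer writes an .exe and runs it, but never deletes it
    {"ts": "2013-04-25T08:05:00", "event": "FileCreate", "pid": 4100, "image": r"C:\Downloads\setup.exe", "target": r"C:\Program Files\App\app.exe"},
    {"ts": "2013-04-25T08:05:03", "event": "ProcessCreate", "pid": 4200, "parent_pid": 4100, "image": r"C:\Program Files\App\app.exe"},
    # benign: explorer writes and deletes a temp file that is never executed
    {"ts": "2013-04-25T08:06:00", "event": "FileCreate", "pid": 5000, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\u\AppData\Local\Temp\tmp1.dat"},
    {"ts": "2013-04-25T08:06:01", "event": "FileDelete", "pid": 5000, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\u\AppData\Local\Temp\tmp1.dat"},
]

EXEC_EXTS = (".exe", ".dll", ".scr", ".com")


def _norm(path):
    # Windows paths are case-insensitive; normalise so a delete logged under a
    # different case still matches the create.
    return path.lower()


def _is_executable(path):
    return _norm(path).endswith(EXEC_EXTS)


def find_drop_run_delete(events, window=timedelta(minutes=10)):
    """Flag files that one process created, launched as a child, and deleted within `window`.

    Returns a list of findings with the dropper pid/image, the deleted component
    path and how long the component lived on disk.
    """
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexicographically
    created = {}      # (creator pid, normalised path) -> FileCreate event
    launched = set()  # keys from `created` whose file was started as the creator's child
    findings = []
    for e in ordered:
        if e["event"] == "FileCreate" and _is_executable(e["target"]):
            created[(e["pid"], _norm(e["target"]))] = e
        elif e["event"] == "ProcessCreate":
            key = (e["parent_pid"], _norm(e["image"]))
            if key in created:
                launched.add(key)
        elif e["event"] == "FileDelete":
            key = (e["pid"], _norm(e["target"]))
            if key in created and key in launched:
                lifetime = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(created[key]["ts"])
                if lifetime <= window:
                    findings.append({
                        "dropper_pid": e["pid"],
                        "dropper_image": created[key]["image"],
                        "component": created[key]["target"],
                        "lifetime_seconds": lifetime.total_seconds(),
                    })
                # one finding per create; forget the key so a re-create starts a new cycle
                del created[key]
                launched.discard(key)
    return findings


if __name__ == "__main__":
    for f in find_drop_run_delete(SAMPLE_EVENTS):
        print(f"{f['dropper_image']} (pid {f['dropper_pid']}) dropped, ran and deleted "
              f"{f['component']} within {f['lifetime_seconds']:.0f}s")
```

The correlation deliberately requires all three steps from the same process so that installers (which write executables and leave them) and ordinary temp-file churn (written and deleted but never executed) do not trigger. Detection only tells you the cycle happened; to get the component contents you need the file captured at create time, for example by Sysmon's FileDelete archiving (event ID 23) or an EDR file-capture feature, since, as the quote above notes, carving the deleted file back from disk afterwards is unreliable.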

Microsoft says that the Trojan infects executable files on removable drives, and that it also delivers a component capable of stealing passwords for email accounts, instant messenger accounts, and other services.

This Trojan downloader is also unusual because it doesn't just deliver the core malware and step aside. Instead, the downloader remains a critical part of the operation even after a system has been infected.

Malware Artists Covering Their Tracks

According to Lumension forensic analyst Paul Henry, this is just another example of the unique steps being taken by malware artists to hide their tools from security researchers.

"Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today," Henry said. (Source: pcworld.com)